“HTTP Acrobat PDF Suspicious File Download” – False Positives?


Note: There is now a potential solution for this – see the bottom of the post.

Today when browsing the web, I started to get notifications from Norton Antivirus telling me a malicious worm was blocked. I get these occasionally, so thought nothing of it the first time, but they kept coming up, and I realised I was only browsing sites I trusted (eBay, Wikipedia etc). I clicked on “More Details” to look at what was going on.

The Risk being reported (and blocked) was HTTP Acrobat PDF Suspicious File Download. The sites supposedly making these intrusion attempts include:

  • eBay (My Ebay)
  • Wikipedia (Only when I’m logged in – I have Popups installed on my profile)
  • My WordPress “Write Post” page (I had to disable the antivirus to let me write this!)

Symantec blocks the JavaScript, which makes certain things not function correctly (the Popups on Wikipedia, the WYSIWYG editor on WordPress).
I can fairly confidently say that these three sites aren’t trying to attack my computer! I think Symantec need to adjust their definitions pretty urgently – I can’t be the only one getting these false positives!

[Update]: I’ve found it also affects Google Maps!

[Update 2]: This seems to be affecting loads of sites, and this post is getting hundreds of hits now it’s appearing on Google. Scott Clark has posted a screenshot of the problem on Flickr.

[Update 3]: JasonC has posted a possible solution. I have a slightly different version of NAV, and this is how I fixed it:

  1. Opened Norton Antivirus (double clicked on the icon in the system tray)
  2. Clicked “Settings” on the internet section
  3. Clicked “Configure [+]” next to “Intrusion Exclusions”
  4. Scrolled down to “HTTP Acrobat PDF Suspicious File Download”, and unchecked it
  5. Clicked “OK” on all open screens.

Note: this may leave you open to this particular worm; do so at your own risk. (See update below – this shouldn’t be required any more)

[Update 4]: Symantec claim to be working on a fix for this.

[Update 5 (2008-12-11)]: This now appears to be fixed in the latest Live Update. If you have applied the fix suggested above, I suggest you undo this (after running Live Update) to ensure your computer is fully protected.


68 responses to ““HTTP Acrobat PDF Suspicious File Download” – False Positives?”

  1. I’m getting the same trouble – for several trusted sites including Google News. Looks like it all started after Symantec issued an update earlier this morning.

  2. @ Graham: Interestingly I get the same when I visit your site! Looks like it’s the open social application in this case.

    I think it’s pretty widespread, given the number of visits I’m getting to this post, and it’s not even on Google yet! Hopefully they’ll notice and fix it – I can’t see a “Report False Positive” feature.

  3. Just been on a support session with Symantec and told them they must be getting other reports about this. The response was “I accept that”. So hopefully they will sort it soon.

  4. Found this by doing a web search. I’m getting them left and right myself all of a sudden today. Do notice it references admunch.exe (from Ad Muncher) when doing most blocks, too.

    Can’t believe I’m legitimately getting attacked from all these places. Must be a problem on Symantec’s end.

  5. Nice post! Just googled this term and came up with your article.
    Yes, NAV stuffed it up again this time. All JavaScripts go awry on my browser after I receive the notification.

  6. We have a problem with several sites as well. Does anyone know what is triggering this “false positive”?

  7. @Marcus: I think it’s a problem with a recent Norton update falsely identifying lots of different code as an intrusion. It doesn’t seem to be any specific JS library – I’ve seen it block both jQuery and Prototype (although not all versions of either).

  8. @Stuckinit: I’m no virus expert, but looking at the list of sites causing it, I think it’s unlikely this is being caused by a virus on your computer.

  9. I just disabled the Internet Worm Protection temporarily.
    Norton screen->Norton Antivirus tab->Settings->Web Browsing->Internet Worm Protection
    Don’t think it’s an actual virus….unless I’m unconsciously writing a virus on my own web application..hohoho…

  10. @JasonC: I don’t seem to have the same settings as you, but I’ve found another way to fix it – without fully turning off worm protection. I’ll add it to the main post.

  11. Rob,

    I just wanted to say thanks for posting this. It’s good to know I’m not the only one experiencing the problem, although I suspected it was a false positive as well. I’ll call Symantec and tell them to send you a cheque for your fantastic support / customer communications efforts! 😉

  12. Me too, just got it for the Google sandbox application I’ve been working on. It said Google was attacking me from cf-in-f104.google.com

  13. Hi,

    It all started for me after a visit to an eBay store this morning. I even had tried Live help with an eBay representative to tell em they should check that seller’s pages, because it triggered alerts from Norton. I even disabled the warnings from Norton, thankfully not disabled the blocking, as that would have been a stupid reaction.

    Thank god, it’s almost surely only a false positive.

  14. Ahh…not sure what version I’m using..
    After reading your solution, I dug deeper in the configuration of my Norton and found a similar solution to yours.
    (they’ve hidden the settings screen nicely in my version)

    Norton screen->Norton Antivirus tab->Settings->Web Browsing->Internet Worm Protection->Configure:
    Real-time Protection->Internet Worm Protection->Configure->uncheck “HTTP Acrobat PDF Suspicious File Download”

  15. I’m getting the same message from Norton. I ran the update last night and this just started this morning. Every time I visit CNN.com, Norton blocks an attack from an HTTP Acrobat PDF Suspicious File Download. This is crazy.

  16. Run Live Update again. I was having the same problems. It appears they have now put out a fix and I am no longer having problems.

  17. I got a hold of someone at Norton. They said “yes, it is a common issue”. He gave me the following to correct it. I do not know if it works. I will be trying it, but thought you might like it as well

    Step 1: You can download the Norton Anti virus 2009 from the web link http://www.norton.com/nav09 , you need to remove your old Norton before installing the new one , you can use the Norton removal tool to remove your old
    Norton files , you can use the web link http://www.symantec.com/nrt to download the Norton removal tool.

    Step 2: after completing the both downloads ( Norton anti virus 2009, removal tool ) you need to run the Removal tool
    first to remove the old Norton files, after removal it will ask you to restart your computer , restart your computer

    Step 3 : After restart you can start installing the Norton anti virus 2009, and activate the product using your
    product key.

  18. Hmmmmmmmmm – I am already running 2009 and I have had the problem all day even after rerunning Live Update !!!????

  19. Which by the way, I think is ridiculous to have us reinstall a product, in which they have a LiveUpdate program that is used for just that reason.

  20. Mine is 2009 too (v16.1.0.33). I doubt the above will work. I’m not trying it anyway.

    Incidentally, my other machine (which has 2008 on it) has no problems, but I don’t think it has the latest definitions (they aren’t released as quickly for 2008)

  21. I get the same error. I think the new live update screwed me over. I’m unable to get to several real estate web sites. Looks like the google maps portion using javascript. I hope Symantec or Norton fixes this quick. It’s like releasing a new car with square wheels.

  22. After the next update I would turn the option back on and see if the problem has been resolved. Symantec wanted 175$ to troubleshoot the problem further.

  23. Just lovely! I am having the same problem – and sent a “customer satisfaction” note to Symantec. Absent information about known viruses, a hypersensitive block is just *irritating*. I can do with a little less “big brother”. :-/

  24. This is strange, I went to CNN and it gives me that error. And the funny thing is when I view the source code of that page and search for .pdf, it doesn’t find anything.

  25. I’m using a JavaScript library named MooTools.js. Symantec blocks my site when I have it. When I comment out MooTools Symantec lets it pass.

    So, Symantec is blocking my JavaScript library.

    Thanks for the blog.

  26. @Jestan: If you are listing every site that has problems, you could be some time – a huge number of sites have this issue, including a lot of the ones that use the popular jQuery, Prototype or MooTools libraries. I don’t think we need to list every one here – thanks for the input though

  27. I got this problem too. But not with my second computer without Norton on it (I use McAfee).

    Very strange !

  28. Had this problem this morning. Spoke with tech support.
    They are working on it according to the rep in India.
    The workaround seems to be for now:
    JasonC has posted a possible solution. I have a slightly different version of NAV, and this is how I fixed it:

    Opened Norton Antivirus (double clicked on the icon in the system tray)
    Clicked “Settings” on the internet section
    Clicked “Configure [+]” next to “Intrusion Exclusions”
    Scrolled down to “HTTP Acrobat PDF Suspicious File Download”, and unchecked it
    Clicked “OK” on all open screens.
    It worked and I started getting this on things like CNN, MSN, Dailyrecord.com and most media places.
